AEMaCS Author: Prevent the caching of sensitive data in browser | Community
February 16, 2023
Accepted

AEMaCS Author: Prevent the caching of sensitive data in browser

  • February 16, 2023
  • 3 replies
  • 598 views
Request for Feature Enhancement (RFE) Summary:

Prevent the browser caching of (potentially) sensitive data (e.g. some personal data of the logged-in user)

Use-case: AEMaCS Author sets the Cache-Control header with a directive that does not prevent the caching of sensitive data in the user’s browser. An attacker gaining access to the browser of a user with which sensitive information has been retrieved can get insights into the data by reading the cache.
Current/Experienced Behavior: The application does not prevent the caching of (potentially) sensitive data. In the responses, the value of the Cache-Control header is set to "no-cache", as can be seen in the following screenshot (please check the attached report). The "no-cache" instruction only ensures that the browser validates that the content is up-to-date on the server before using the cache. A look into the browser cache shows that sensitive data (e.g. some personal data of the logged-in user) is stored there.
Improved/Expected Behavior:

Set the following caching directives for any response which contains sensitive information.

Pragma: no-cache
Cache-Control: no-cache
Cache-Control: no-store

Most web browsers and proxy servers respect these directions and will not write data into their cache store.

Environment Details (AEM version/service pack, any other specifics if applicable): AEMaCS Author
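As an added example (not part of the RFE and not Adobe or AEM code), a small Python audit that parses a response's Cache-Control value and reports whether the "no-cache"-only setting described above still allows the body to be written to the browser cache. The sample headers are constructed to mirror the observed and the recommended responses.

```python
"""Audit a response's caching headers for the gap described in this RFE.
Sample headers below are constructed; this is not AEM or Adobe code."""
from typing import Dict, List, Optional


def split_directives(value: str) -> List[str]:
    """Split a Cache-Control value on commas that are outside quoted-strings."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Map each directive (lower-cased) to its unquoted argument, or None."""
    directives: Dict[str, Optional[str]] = {}
    for part in split_directives(value):
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _header(headers: Dict[str, str], name: str) -> str:
    # Case-insensitive lookup; a missing header reads as an empty value.
    return next((v for k, v in headers.items() if k.lower() == name), "")


def may_be_stored(headers: Dict[str, str]) -> bool:
    """True if a browser may write the body to its cache store. Only no-store
    forbids storage; no-cache just forces revalidation before reuse."""
    return "no-store" not in parse_cache_control(_header(headers, "cache-control"))


def audit(headers: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise for a response carrying sensitive data."""
    cc = parse_cache_control(_header(headers, "cache-control"))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: body may be written to cache")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: stored copy may be reused unvalidated")
    if _header(headers, "pragma").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 clients and proxies)")
    return findings

# Constructed samples: the response as observed, and the recommended headers.
OBSERVED = {"Cache-Control": "no-cache"}
RECOMMENDED = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}
```

Run `audit(OBSERVED)` against captured response headers; an empty list means the response matches the headers the RFE asks for.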
3 replies

kautuk_sahni
Community Manager
February 23, 2023

@nelya-m 

Thanks for proposing this idea.

This has been reported to the engineering under the internal reference SITES-11909. The product team will triage this request to verify feasibility based on the prioritization model. This post will be updated according to the Jira request status.

Kautuk Sahni
Nelya-M (Author)
February 24, 2023

Hi @kautuk_sahni,

Thank you for the prompt reaction and for addressing the issue with engineering; looking forward to updates and a possible timeline.

Best regards

kautuk_sahni
Community Manager
April 21, 2023

@nelya-m This recommendation has been accepted. 

Kautuk Sahni